Kerberoasting allows an attacker with initial, limited access to a network, often as a regular authenticated user, to request and capture the service tickets that Kerberos issues for access to network resources. These tickets can then be attacked offline to recover service account passwords, especially if the passwords are weak. Attackers typically target service accounts because they often hold elevated permissions and their passwords, being changed less frequently, are more likely to be weak.
The Kerberos protocol uses tickets to authenticate service requests. Each service ticket is encrypted with a key derived from the password of the account that runs the service, so only that account can decrypt it. However, any authenticated user can ask the domain controller for a ticket to a service, and an attacker who obtains one can attempt to ‘roast’ it: guessing candidate passwords by brute force or dictionary attack and checking each guess against the ticket, entirely offline and without further contact with the domain. Once cracked, the credentials can be used to move laterally within the network or elevate privileges, sometimes leading to full domain compromise.
Kerberoasting can be mitigated by using complex passwords for service accounts, regularly monitoring and auditing account usage, and limiting the number of service accounts with elevated privileges. Security teams should also use network defenses capable of detecting suspicious activity, such as repeated requests for service tickets, to alert administrators to the possibility of ongoing Kerberoasting attempts.
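The monitoring idea above, a burst of service-ticket requests from one account, can be checked against Windows Security Event 4769 ("A Kerberos service ticket was requested"). The following is an added example, not code from the original article: it runs over a constructed set of 4769 records and flags any account that requested tickets for many distinct SPNs within a short window, also counting how many used RC4 (encryption type 0x17), which stands out where AES is the norm. The field names, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event 4769 records reduced to the fields this check
# needs. These are made-up records, not captured logs. Etype 0x17 is
# RC4-HMAC, 0x12 is AES256-CTS-HMAC-SHA1-96.
EVENTS_4769 = [
    {"time": "2024-05-01T09:00:01", "account": "alice", "spn": "HTTP/intranet", "etype": "0x12"},
    {"time": "2024-05-01T09:00:02", "account": "bob", "spn": "MSSQLSvc/db01:1433", "etype": "0x17"},
    {"time": "2024-05-01T09:00:02", "account": "bob", "spn": "HTTP/reports", "etype": "0x17"},
    {"time": "2024-05-01T09:00:03", "account": "bob", "spn": "MSSQLSvc/db02:1433", "etype": "0x17"},
    {"time": "2024-05-01T09:00:03", "account": "bob", "spn": "exchangeMDB/mail01", "etype": "0x17"},
    {"time": "2024-05-01T09:00:04", "account": "bob", "spn": "CIFS/fs01", "etype": "0x17"},
    {"time": "2024-05-01T09:05:00", "account": "alice", "spn": "CIFS/fs01", "etype": "0x12"},
    {"time": "2024-05-01T10:00:00", "account": "bob", "spn": "HTTP/intranet", "etype": "0x12"},
]

RC4_HMAC = "0x17"

def find_kerberoast_bursts(events, window_seconds=60, min_distinct_spns=4):
    """Return one alert per account whose requests cover at least
    min_distinct_spns different SPNs inside any window_seconds window.
    The alert keeps the densest window found for that account."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(
            (datetime.fromisoformat(ev["time"]), ev["spn"], ev["etype"]))
    alerts = []
    window = timedelta(seconds=window_seconds)
    for account, reqs in by_account.items():
        reqs.sort()                      # chronological order per account
        best, start = None, 0
        for end in range(len(reqs)):
            # Advance the window start until all requests fit in the window.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            in_window = reqs[start:end + 1]
            spns = {spn for _, spn, _ in in_window}
            if len(spns) >= min_distinct_spns and (best is None or len(spns) > best["distinct_spns"]):
                best = {"account": account, "distinct_spns": len(spns),
                        "rc4_requests": sum(et == RC4_HMAC for _, _, et in in_window),
                        "window_start": in_window[0][0].isoformat(), "spns": sorted(spns)}
        if best:
            alerts.append(best)
    return alerts

if __name__ == "__main__":
    for alert in find_kerberoast_bursts(EVENTS_4769):
        print(alert)
```

Thresholds need tuning per environment, since monitoring agents and some applications legitimately request many tickets at once; a high RC4 count for an account that otherwise gets AES tickets is the stronger signal.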
- Exploits Kerberos service tickets to uncover service account passwords
- Relies on offline password cracking of the captured tickets, typically by brute force or dictionary attack
- Tends to target service accounts due to their higher privileges and weaker password policies
- Can be mitigated through strong password policies and vigilant monitoring
- Real-World Example: An attacker gains access to a corporate network using a phished employee’s credentials. Upon gaining access, they request tickets for all available services, export these tickets, and then use another system to Kerberoast these tickets, attempting to find a weak service account password.
- Hypothetical Scenario: In a penetration testing simulation, a security professional uses tools like Mimikatz to perform Kerberoasting, successfully uncovering weak passwords that could potentially allow access to sensitive areas of the network.
- Kerberos: An authentication protocol for networks that issues tickets to allow nodes to prove their identity to one another in a secure manner.
- Active Directory (AD): Microsoft’s directory service for Windows domain networks, where Kerberos is often used as the authentication protocol.
- Brute Force Attack: A trial-and-error method of guessing the key or password protecting encrypted data such as Kerberos tickets; it is the cracking step at the heart of the Kerberoasting technique.
- Lateral Movement: A cyberattack pattern that describes the techniques cyber attackers use to move progressively through a network in search of key data and assets.